guacamole-user mailing list archives

From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: 0.9.12 issue with LDAP host groups
Date Sat, 08 Jul 2017 06:05:37 GMT
What happens if you query the LDAP directory as each of the users in
question, listing all guacConfigGroup objects?

When a user authenticates with Guacamole via LDAP, Guacamole will
attempt to bind to the LDAP directory using that user's credentials,
and the query retrieving available connections will be executed as
that LDAP user. If something is causing the results of those queries
to be different depending on the user, perhaps running similar queries
as those users manually using a standard LDAP utility will be
revealing.

- Mike


On Wed, Jul 5, 2017 at 12:54 PM, evan.hisey <evan.hisey@noaa.gov> wrote:
> I am using the Docker guacamole containers for 0.9.12 and have them correctly
> authenticating to LDAP, however only one user in a guacamole host group is
> recognized as having access to a host rdp. To wit
>
> LDAP HOST GROUP:
> dn: cn=cee-rdp,cn=groups,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=gov
> objectClass: guacConfigGroup
> objectClass: nestedGroup
> objectClass: groupOfNames
> objectClass: posixGroup
> objectClass: ipaUserGroup
> objectClass: top
> objectClass: ipaObject
> cn: cee-rdp
> gidNumber: 1370800062
> guacConfigProtocol: rdp
> ipaUniqueID: 4bd337f4-5ac6-11e7-a3b2-0050568843ac
> guacConfigParameter: hostname=nwcal-cee-ti1.nwc.nws.noaa.gov
> member: uid=evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=
>  gov
> member: uid=alt-evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa
>  ,dc=gov
>
> Console output of container when users login:
> 20:11:09.908 [http-nio-8080-exec-3] INFO  o.a.g.r.auth.AuthenticationService
> - User "alt-evan.hisey" successfully authenticated from 10.3.0.30.
> 20:11:10.150 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService -
> guacConfigGroup "cee-rdp" is missing the required "guacConfigProtocol"
> attribute.
> 20:11:10.150 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService -
> guacConfigGroup "common-dev1-rdp" is missing the required
> "guacConfigProtocol" attribute.
> 20:11:19.820 [http-nio-8080-exec-10] INFO
> o.a.g.r.auth.AuthenticationService - User "evan.hisey" successfully
> authenticated from 10.3.0.30.
> 20:11:20.556 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService
> - User "evan.hisey" connected to connection "cee-rdp".
>
> Both users are in the correct host group, but only the second user actually
> gets the guacConfigProtocol.  I am at a bit of a loss as to what could be
> causing this.
>
>
>
> --
> View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/0-9-12-issue-with-LDAP-host-groups-tp1261.html
> Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.
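
One way to carry out the per-user comparison suggested in the reply, as an added example that is not part of the original thread or of Guacamole itself: capture the guacConfigGroup search as each user with ldapsearch, then diff which attributes each bind identity is actually shown. The host `ldap.example.com`, the function names and the sample LDIF are assumptions constructed for illustration; the DNs are the ones quoted in the message.

```shell
#!/bin/sh
# Added example. Capture each user's view with a standard LDAP client first
# (ldap.example.com is a placeholder host; repeat with the other user's DN):
#   ldapsearch -x -W -H ldap://ldap.example.com \
#     -D "uid=alt-evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=gov" \
#     -b "dc=idm,dc=nwc,dc=nws,dc=noaa,dc=gov" "(objectClass=guacConfigGroup)" > alt.ldif
LC_ALL=C; export LC_ALL

# Print "dn<TAB>attribute" for every attribute in an LDIF stream, after
# joining folded lines (a continuation line starts with a single space).
ldif_attrs() {
    awk '
        function emit(   name) {
            if (buf == "") { dn = ""; return }      # blank line ends an entry
            if (buf ~ /^#/) return                  # LDIF comment
            name = buf; sub(/:.*/, "", name)
            if (tolower(name) == "dn") { dn = buf; sub(/^[^:]*::? */, "", dn); return }
            if (dn != "") print dn "\t" name
        }
        /^ / { buf = buf substr($0, 2); next }
             { emit(); buf = $0 }
        END  { emit() }' | sort -u
}

# Attributes visible in $1 (working user's LDIF) but not in $2 (failing user's).
hidden_attrs() {
    ref="${TMPDIR:-/tmp}/guac-ref.$$"
    ldif_attrs < "$1" > "$ref"
    ldif_attrs < "$2" | comm -23 "$ref" -
    rm -f "$ref"
}

# Constructed sample views (not real directory output): same entry, but the
# second bind user is not shown the guacConfig* attributes.
sample() {
    printf 'dn: cn=cee-rdp,cn=groups,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=\n gov\n'
    printf 'objectClass: guacConfigGroup\ncn: cee-rdp\n'
    if [ "$1" = working ]; then
        printf 'guacConfigProtocol: rdp\nguacConfigParameter: hostname=host.example\n'
    fi
    printf '\n'
}

demo() {
    a="${TMPDIR:-/tmp}/guac-a.$$"; b="${TMPDIR:-/tmp}/guac-b.$$"
    sample working > "$a"; sample failing > "$b"
    hidden_attrs "$a" "$b" | cut -f2
    rm -f "$a" "$b"
}
demo
```

Any attribute this prints is returned to one bind identity but withheld from the other, which points at directory-side read permissions rather than at Guacamole's configuration.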
